Health IT and Electronic Health Activate your FREE membership today |  Log-in

Data Security for HIPAA Compliance

May 14 2010   10:16AM GMT

Risk Management Framework is Key to HIPAA Compliance – NIST HIPAA Conference Part 1

Posted by: Azaltsman
breach notification, HHS, HIPAA, HIPAA Security Rule, OCR, phi, Risk Management, RMF

Risk management was the centerpiece of discussions at the 2010 NIST HIPAA Security Conference. In her presentation, Pat Toth, a computer scientist working for NIST (National Institute of Standards and Technology), discussed the importance of the integrating risk management and security into your enterprise computing environment.  Security is often thought of as an after-the-fact process that becomes important after IT systems and applications are deployed. Toth pointed out that our perception of security’s role needs to change in order to protect the our healthcare information systems.

In order to help the government and private industry standardize on a risk management process NIST created the RMF – Risk Management Framework. The framework into 6 steps:

  • Categorize the information systems
  • Select security controls
  • Implement security controls
  • Access security controls
  • Authorize information systems
  • Monitor security controls
A guide is written on each process and documents the steps necessary to complete the research. The RMF is not a new concept, nor is it a new guide. Instead, the RMF is a process by which all IT systems could benefit.
The HIPAA security rule specifically requires that a risk assessment be performed on IT systems that contain PHI (protected health information). Rather than creating the assessment from scratch the RMF is a great place to start your research and perhaps implement the steps recommended by NIST to secure your HIT systems.
The RMF is of particular importance for helping to obtain a safe harbor from penalties in the HIPAA security rule, particularly when deciding to implement (or not implement) technologies like data encryption. For example: if you decide that encryption is not needed in your environment and an incident happens where PHI is breached you will need to show the reason behind your decisions to HHS OCR (U.S Department of Health and Human Services, Office of Civil Rights).

Comment on this Post

Leave a comment:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: